BlueNoroff Group Releases New MacOS Malware Targeting Financial Institutions
BlueNoroff, a well-known hacking group linked to Lazarus, has recently begun using a new piece of malware built specifically to target financial institutions on macOS. Researchers at Jamf, an Apple device management firm, discovered the threat while tracking BlueNoroff's activities.
“The malware splits the command and control (C2) URL into two separate strings that get concatenated together. This is likely an attempt to evade static-based detection.”
– Jamf
In a detailed report published by Jamf, it was revealed that the malware uses a legitimate-looking cryptocurrency exchange as a cover. The attackers have been using the swissborg[.]blog domain, which they registered on May 31 and connected to an IP address associated with BlueNoroff’s infrastructure.
The Connection to Lazarus Group
Interestingly, this release comes shortly after the infamous Lazarus Group unleashed their new malware, known as “Kandykorn,” to target a crypto exchange. The Lazarus Group is known for its complex techniques, including reflective loading and a 5-stage process to deploy their advanced malware.
BlueNoroff’s Focus on Cryptocurrencies and Banks
BlueNoroff is a threat actor that specializes in targeting cryptocurrencies, crypto startups, and financial entities like banks. Jamf Threat Labs has observed that this new malware shares similarities with BlueNoroff’s RustBucket campaign, which was uncovered in April of this year. The RustBucket campaign focuses on compromising macOS devices and employs tactics like posing as an investor or headhunter to gain access to targets.
To avoid detection, BlueNoroff registered a domain for the RustBucket campaign that appeared to belong to a legitimate crypto company, so that its traffic would blend in with normal network activity. The Jamf team identified the new malware using the same detection method it had applied to RustBucket.
Although the malware may seem simple, it is highly functional and enables the attackers to achieve their objectives. The researchers at Jamf have named this new detection “ObjCShellz” and consider it to be part of the RustBucket campaign.
This discovery highlights the continuing efforts of hacking groups like BlueNoroff and Lazarus to target financial institutions and exploit vulnerabilities in the cryptocurrency industry. It serves as a reminder for businesses to prioritize cybersecurity and remain vigilant against evolving threats.